SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability

2005.10.26
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

SEC-CONSULT Security Advisory 20051025-0 ====================================================================== title: Snoopy Remote Code Execution Vulnerability program: Snoopy PHP Webclient vulnerable version: 1.2 and earlier homepage: http://snoopy.sourceforge.net found: 2005-10-10 by: D. Fabian / SEC-CONSULT / www.sec-consult.com ====================================================================== vendor description: --------------- Snoopy is a PHP class that simulates a web browser. It automates the task of retrieving web page content and posting forms, for example. Snoopy is used by various RSS parser, which are in turn used in a whole bunch of applications like weblogs, content management systems, and many more. vulnerabilty overview: --------------- Whenever an SSL protected webpage is requested with one of the many Snoopy API calls, it calls the function _httpsrequest which takes the URL as argument. This function in turn calls the PHP-function exec with unchecked user-input. Using a specially crafted URL, an attacker can supply arbitrary commands that are executed on the web server with priviledges of the web user. While the vulnerability can not be exploited using the Snoopy class file itself, there may exist implementations which hand unchecked URLs from users to snoopy. proof of concept: --------------- Consider the following code on a webserver: --- code --- <? include "Snoopy.class.php"; $snoopy = new Snoopy; $snoopy->fetch($_GET['url']); echo "<PRE>n"; print $snoopy->results; echo "</PRE>n"; ?> --- /code --- Requesting this code with a manipulated URL results in execution of arbitrary code (in this case "echo 'hello' > test.txt"). Please consider the following url one line: http://server/fetch.php?url=https://www.%22;+echo+'hello'+%3E+ test.txt vulnerable versions: --------------- It seems that version 1.2 as well as some prior versions are vulnerable to the attack described above. recommended fix: --------------- Update to Snoopy version 1.2.1. vendor status: --------------- vendor notified: 2005-10-24 vendor response: 2005-10-24 patch available: 2005-10-24 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Blindengasse 3 A-1080 Wien Austria Tel.: +43 / 1 / 409 0307 - 570 Fax.: +43 / 1 / 409 0307 - 590 Mail: office at sec-consult dot com www.sec-consult.com EOF Daniel Fabian / @2005 d.fabian at sec-consult dot com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top